
MUNSHI works on IaaS & PaaS at Red Hat and is a former IBM Systems Lab Services Consultant at IBM Malaysia. He has written in particular about Linux on Power, AIX and Power{VC, HA, VM, KVM, SC} on IBM developerWorks.

i. Audit events are generally defined at the system call level (a single operation of an AIX command):

# vi events

ii. Audit objects are the individual files that will be monitored:

# vi objects

3. To customize the bincmds file:

The bincmds file contains commands that process audit bin data. With the auditselect command, we can filter the audit trail to obtain specific records for analysis or select specific records for long-term storage.

# vi bincmds

4. To make sure the group ownership and permissions on all the audit config files are correct, if required:

# chgrp -R audit /etc/security/audit/

# chmod g=r /etc/security/audit/*

5. To make sure the audit service starts and stops automatically with the system:

i. The entry below should be added to /etc/inittab to start the audit service (stdout is redirected to the console first, then stderr is joined to it, so both streams reach the console):

# vi /etc/inittab

audit:2:once:/usr/sbin/audit start > /dev/console 2>&1

# grep audit /etc/inittab

ii. To stop auditing properly, add the following line to /usr/sbin/shutdown:

# vi /usr/sbin/shutdown

/usr/sbin/audit shutdown

# grep audit /usr/sbin/shutdown

Note: If you do not stop auditing properly and you reboot the system, the auditb file will not be deleted. In this case, after the reboot, the auditb file can become a false indicator that BIN auditing is running.
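To verify the result of the steps above, here is an added example that is not from the original post: a POSIX sh script whose checks mirror the permission, inittab and shutdown settings described. The function names, the `--live` flag and the use of `ls -ld` instead of `stat` (AIX has no GNU stat) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the audit setup
# described above. The directory, group name and file paths are parameters
# so the functions can be exercised against a constructed tree; on a live
# system pass /etc/security/audit, audit, /etc/inittab and /usr/sbin/shutdown.

# Return 0 if every file in DIR belongs to group GROUP and has group
# permission exactly r-- (the state left by chgrp -R GROUP and chmod g=r).
check_audit_perms() {
    dir=$1; group=$2; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        # ls -ld is portable (AIX has no GNU stat); fields: mode links owner group ...
        set -- $(ls -ld "$f")
        mode=$1; grp=$4
        # group bits are characters 5-7 of the mode string, e.g. -rw-r-----
        gbits=$(printf '%s' "$mode" | cut -c5-7)
        if [ "$grp" != "$group" ]; then
            echo "wrong group on $f: $grp (want $group)"; rc=1
        fi
        if [ "$gbits" != "r--" ]; then
            echo "group permission on $f is $gbits (want r--)"; rc=1
        fi
    done
    return $rc
}

# Return 0 if INITTAB has an entry that starts auditing at run level 2 with
# both stdout and stderr on the console. The order matters: with
# "2>&1 > /dev/console" stderr is tied to the original stdout before it is
# redirected, so error messages never reach the console.
check_inittab_entry() {
    grep -q '^audit:2:[a-z]*:/usr/sbin/audit start *> */dev/console 2>&1' "$1"
}

# Return 0 if the shutdown script stops auditing before the halt, which is
# what prevents the stale auditb file the note above warns about.
check_shutdown_entry() {
    grep -q '^/usr/sbin/audit shutdown' "$1"
}

# Stand-alone use against the live system (needs read access to the files).
if [ "${1:-}" = "--live" ]; then
    check_audit_perms /etc/security/audit audit &&
    check_inittab_entry /etc/inittab &&
    check_shutdown_entry /usr/sbin/shutdown && echo "audit setup OK"
fi
```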